Successful Implementation of Continuous Controls Monitoring

Transcription

1 Successful Implementation of Continuous Controls Monitoring Mady Cheng, CIA, CISA, CPA, MSBA Franco Lopez, CIA, CISA, CPA, MBA Office of Audits & Advisory Services County of San Diego May 6, 2014 Continuous Controls Monitoring 2

2 Needle in a Haystack? 3 Agenda Building Blocks Process Conceptual Design Project Implementation Deployment Lessons Learned 4

3 Continuous Controls Monitoring Program Building Blocks Approach Structure Data People Communicate Approach Focus on high impact analytics. Less is more. Rank potential analytics based on risk and impact. Solicit input from business process Subject Matter Experts.

4 Data Understand your data (where it comes from, what it means, how it is used in the analytic). Work with DBA. Get data dictionary. Direct Access vs. Extracts. Trust but verify. Test, test, test... User Acceptance Testing. People Cast vision. Gain Buy in from users. What s there for me? Educate users on benefits and regulatory requirements. Set the stage avoid the abusive use of the F word (False Positive). Make system user friendly. Make users job easier, not more difficult. Provide training and user manual.

5 Communicate Communicate, Communicate, Communicate More, Early. Listen. Address complaints and concerns honestly and proactively. Audience oriented Messages What they need to know, what they can understand. Internal (within the organization) vs. External. Management vs. Business Users vs. Technical IT Personnel. Structure Identify key stakeholders. Establish a Sustainable Structure: Steering Committee, Advisory Board, QA, System Admin, Users. System ownership and independence. Monitoring vs. Auditing. Project team: ACL Consultants, IT, Business Process SME, Facilitator. Set expectations. Define roles and responsibilities. Develop policies.

6 Agenda Building Blocks Process Conceptual Design Project Implementation Deployment Lessons Learned 11 Conceptual Design = Put your Building Blocks in action! 12

7 Overview A/P Oracle Centralized Analytics Purchasing PeopleSoft P-Card AX Dept Analytics Group 1 Group 2 Group 3 Dept 1 Dept 2 Dept 3 Dept 4 13 AX Analytics Current Modules P-Card Procure-to-Pay Analytic Objectives Proper Segregation of Duties Proper Authority and Approval Preventing Duplicate Payments Flagging Suspicious Vendors and Transactions Flagging Potential Conflicts of Interest 14

8 P-Card Analytics Monitored by: Depts Purchasing A1. Invalid Cardholder A/P A2. Similar Cardholder Addresses A3. Merchant Employee Match - Tax ID/SSN A4. SOD Inappropriate Cardholder Role A5. SOD Inappropriate Verifier Role A6. SOD Inappropriate Approver Role A7. SOD Approver same as Verifier/Cardholder A9. Same Merchant Same Amount Different Departments A10. Same Merchant Same Amount Same Department A11. Similar Merchants Similar Amounts (P-Card vs. AP Invoice) A12. Lost/Stolen/Suspended Card A13. Disputed Transaction A14. Restricted Word 15 Notifications Day 11: to Monitor AX Monitor Day 21: to Monitor and Manager AX Monitor Manager Day 41: to Monitor, Manager, & Internal Audit AX Monitor Manager Internal Audit 16

9 Team Steering Committee Auditor & Controller Purchasing Director Advisory Board A/P Purchasing Internal Audit System Admin Internal Audit AX Users Core Depts User Depts 17 Roles & Responsibilities Internal Audit Core Depts User Depts System Administration Communication & Coordination X X Continuous Monitoring X X End User Training X X X Advisory Board X X User Group X X X 18

10 Project Implementation Specific Tasks Involved: Functional Requirements Data Requirements User Acceptance Testing Throughout the Project: Monitor project status. Resolve issues. Communicate. Get right people involved. 19 Deployment Plan Communication Advisory Board Meetings User Group Meetings Policies & Procedures Manual System Navigation Exception Resolution Procedures End User Training User Access Setup 20

11 AX User Manual Table of Contents A. Introduction 1. Background 2. Roles and Responsibilities 3. AX User 4. User Access and Security B. System Navigation C. Exception Resolution Procedures A. Process Flowchart B. Procurement Card Analytics 21 AX User Manual Guidelines for Selecting Monitors Understand the concepts of internal controls, continuous monitoring, and fraud prevention. Possess excellent analytical, problem solving, communication, and people skills. Good judgment, tact, organizational acumen. To avoid conflicts of interest, AX Monitors should NOT be current P-Cardholders or Approvers. 22

12 AX User Manual Exception Resolution Procedures A1 Invalid Cardholder Objective: To identify cardholders who are not valid employees (e.g., contractors; retired or temporary employees). Description: Identify all P-Card transactions where the Employee ID of the Cardholder does not exist in the HR File as a valid employee. A valid employee is a cardholder who meets all of the following criteria: o Employee Status = A o Personnel Status = E o Reg_Temp = R 23 AX User Manual Exception Resolution Procedures Reg-Temp Status: R = Regular (Employee with benefits) T = Temporary (Employee with no benefits) Temporary Employees may not participate in the P-Card program unless they have a waiver on file with the P-Card Unit. If exception waiver does not exist, notify P-Card Unit to cancel the card. 24

13 Communication: Sample Slides 25 Why AX System? Industry Best Practice COSO Internal Control framework Monitoring Activities Conduct ongoing and separate evaluations Evaluate and communicate control deficiencies 26

14 Why AX System? External Auditing Requirements Consideration of Fraud in a Financial Statement Audit (AICPA SAS #99). Risk Assessment Standards (AICPA SAS # ). 27 What does it Mean? AX System Strengthen management controls in business processes. Detect potential fraud, waste & abuse. Enable management to identify, investigate, and resolve issues before they escalate. For external audits: may result in fewer audit tests or samples. 28

15 AuditExchange Screenshots 29 30

16 Overview All Entities 31 Overview Specific Entity 32

17 My Exceptions Entity Summary 33 My Exceptions by Analytic 34

18 Exception Details 35 Edit Exception Details 36

19 Lessons Learned 37 Ten Commandments I. Thou shalt have no other analytics besides the high-impact ones. II. Thou (auditor) shalt not make yourself a monitor. III. Thou shalt not take thy data in vain, for the analytics will not forgive those who misuse the data. 38

20 Ten Commandments IV. Remember the run day to keep it going. V. Honor thy Steering Committee and Advisory Board, so that thy program may live long. VI. Thou shalt not murder thy users, even when they complain. VII. Thou shalt not mingle incompatible data. 39 Ten Commandments VIII.Thou shalt steal ideas from user groups. IX. Thou shalt not bear false positives to thy users where possible. X. Thou (User Dept) shalt not covet thy neighbor s analytic results thou have enough trouble of your own. 40

21 Next Steps Maintain User Access Management Analytic Upkeep Upgrades User Training and Communication Strategy and Planning Stakeholder Feedback Design/Establish New Analytics Create Analytics for the Analytics 41 Thank You! 42

22 Contacts Mady Cheng Franco Lopez Office of Audits & Advisory Services County of San Diego 43